Policy Management

Have a general question related to SmartConsole and/or SmartDashboard? This is the place to ask! For questions related to configuring Access Policy, including VPN, NAT, and Identity Awareness, ask in the Access Control Products space.

Timothy_Hall inside Policy Management, 3 hours ago

R80+ Change Control: A Visual Guide

As mentioned in the article Revisions Management in R80.x, I do have an informal writeup I use when teaching CCSA R80.10 that helps summarize how R80+ Change Control and Revisions are handled for the inevitable questions that arise in class. This document is a sprucing up of those notes complete with some new screenshots.

Absolutely no way this document would have been possible without the incredible contributions of Tomer Sole and in particular these articles with content contributed by him:

How to revert a Policy or discard changes?
Revisions Management in R80.x
How do you rollback an old policy?

What follows is merely a roll-up of Tomer's content from an operational perspective, with some new screenshots I have put together. I hope you find it useful.

Part 1: What are you about to do?

You are in the process of making changes in the SmartConsole and are unsure (or have lost track of) what you have done due to one of your coworkers constantly interrupting you. If still in an unpublished session, you can see what changes are pending by enabling the Session Pane (only available in R80.10+ management) like this:

This will create a new pane on the far right of the SmartConsole where you can see pending unpublished changes:

This information can be very helpful when deciding to publish or discard a session. Another way to find pending unpublished rule changes in your current session is to look for "Edited" Access Control rules, indicated by default using a purple line in the Smart Scrollbar:

Note that the colored lines in the Smart Scrollbar will also by default show rule locks currently held by other administrators (dark grey) and search results (yellow). You can even make section titles (light grey) and a selected/highlighted rule (blue) show up as well:

For more information about the Smart Scrollbar and some other great tips for efficiently navigating a large rulebase in the SmartConsole, see this post: What are some of the tips and tricks for jumping between rules in the rulebase?

So you have now published your session and think you are ready to install policy to the gateway. A very good habit to get into prior to installation is looking at how many changes you are about to make:

Along the top of the screen, you should ALWAYS look at how many sessions and by how many administrators will be part of what you are about to deploy on the gateway. Note that this is the total number of changes made in the SMS config since policy was last installed to this particular gateway, and not every change counted here is necessarily part of this gateway's security configuration or will impact how it operates. If you see sessions and changes that are unfamiliar or unexpected though, it is a very good idea to hit the View Changes button to see exactly what will be included:

Along the top of the screen is a summary of all the different published sessions whose changes will be included if you install policy to the gateway. As shown above you can highlight one of those sessions, and then select the Audit Logs tab to see a very detailed list of exactly what changes were made in that particular highlighted session. Let's assume that everything looks OK and you proceed to install policy to the gateway.

Part 2: The Panic Button

Your phone is ringing nonstop, people are pounding on your door, and it has all gone horribly wrong! Some very bad change got implemented when you pushed policy to the gateway at the end of the last section and it is impacting production traffic. You need to fix what you did RIGHT NOW. Thankfully the Installation History screen will be your savior in this case:

The first Installation Date shown above (1/15/2018) represents the most recent policy push (which is probably what messed everything up); just highlight one of the older installations below it, then click Install Specific Version like this:

When you hit Install, a previously installed known-good copy of the firewall policy will be installed and hopefully undo whatever bad change was installed to the gateway. Note that doing this does not change any configurations shown to you in the SmartConsole; it ONLY changes what is installed on the gateway back to a good config that was previously installed. If you hit the Install Specific Version "panic button", install the older policy to the gateway, then reinstall the current security policy again, you will be right back in the "panic" situation again!

So hopefully you have been able to halt the endless door pounding and phone ringing by hitting the "panic" button as shown. You have bought yourself some time to now figure out what boneheaded change was made by one of your coworkers (or you!) that caused this unfortunate situation to occur.

Part 3: The Investigation

While the Installation History screen is typically associated with "panic" reverts of gateway policies as shown in the last section, the View Installed Changes button on that same screen can be very handy for examining the specific changes in a suspect revision that came after the one you reverted to in the prior section:

To see even more information about a certain session, hit the View button, which will bring up a read-only copy of the SmartConsole showing the exact state of the configuration after that particular highlighted session was published:

By this time you may have some suspicions that a certain policy layer and its rules may have been changed in a way that caused the "panic" situation to occur. If so, select the policy layer in question, then select Actions...History:

A nice concise list of all changes made in that policy layer in the various sessions is presented. If you want to see the history of only a specific rule that you suspect is the culprit, simply highlight the rule and click its History tab:

You can also view all changes on the screen below if you aren't sure exactly where to look:

Suppose you have now identified a specific policy layer that was messed with and caused the panic situation to occur. If there were a multitude of changes made and you don't want to manually back all of them out, you can Revert the policy layer configuration back to a specific point in time, thus discarding the changes made in one or more revisions like this:

In our example above we will be removing (or undoing) a total of 5 changes made in the two published sessions just above the one we selected.

Part 4: Your Final Option

If you still can't determine what changes caused the problem, your last-ditch effort is to look at the raw system-wide Audit logs like this:

This technique was also possible in R77.30 with the Audit/Management tab of the SmartView Tracker. The SmartWorkflow product also has some nice change reports in that version.

Hopefully you found this writeup useful; please let me know if you have any other change control techniques that were missed and I'll be happy to add them. Thanks again to Tomer Sole!

-- Second Edition of my "Max Power" Firewall Book Now Available at http://www.maxpowerfirewalls.com
Nadav_Hellman inside Policy Management, yesterday

Understanding of policy checking

Hey guys,

Kinda new to Check Point and want to understand the product better. I know it's very basic, but it's very crucial for troubleshooting and really understanding the product. Can someone please refer me to an sk, or give an in-depth explanation of the subject?

I know that in R80 and above, the product works in ordered layers. When a connection matches a rule in the first layer, it goes on to the second layer and so on and so on...

Now my question is, when do the NAT policy and threat prevention policy come into place? When does the firewall examine those policies? After the access control policies, in parallel, etc.?

Thank you!
HeikoAnkenbrand inside Policy Management, Tuesday

R80.x - Policy Installation Flowchart

Policy Installation Flow

The policy installation process has several stages:

1) Assuming the initiation was made by the SmartConsole, the web service policy installation command is sent to the Check Point management (CPM) on the management server.

2) The first stage is the process in which CPM converts the objects with Java from the new DB language/files to the old set language and to files. Then the policy installation process verifies and compiles it to a "language" the security gateway can understand and implement. The verification and compilation stages are performed by the FWM and in the future by the CPM process.

Note: The translated policies of CPM for FWM can be found for the "Standard" policy here: $FWDIR/conf/Standard.W

3) The FWM process is responsible for code generation and compilation. For example, the process reads the policy from "$FWDIR/conf/Standard.W" and other files and uses them for the policy verification and conversion. The FWM process performs verification and conversion of the files and database information for the installation targets for which policy installation is requested. For this the fw_loader of the corresponding Check Point version is started to verify and convert the policy.

Note: For the corresponding Check Point versions, the fw_loader and other tools can be found in the following paths on an R80.30 management server:

/opt/CPsuite-R80.30/fw1/bin/fw_loader       R80.30
/opt/CPR7520CMP-R80.30/bin/fw_loader        R75.20, R75.30
/opt/CPR7540CMP-R80.30/bin/fw_loader        R75.40, R75.45, R75.46, R75.47
/opt/CPR76CMP-R80.30/bin/fw_loader          R76, R76SP to R76SP.50
/opt/CPR77CMP-R80.30/bin/fw_loader          R77, R77.10, R77.20, R77.30
/opt/CPR75CMP-R80.30/bin/fw_loader          R75, R75.10

One question that keeps coming up is: which config files are used on the management server to compile policies with user-specific INSPECT code? For this purpose, different directories are used for each Check Point gateway version, according to the above scheme, similar to fw_loader:

/opt/CPsuite-R80.30/fw1/lib                 R80.30
/opt/CPR7520CMP-R80.30/lib                  R75.20, R75.30
/opt/CPR7540CMP-R80.30/lib                  R75.40, R75.45, R75.46, R75.47
/opt/CPR76CMP-R80.30/lib                    R76, R76SP to R76SP.50
/opt/CPR77CMP-R80.30/lib                    R77, R77.10, R77.20, R77.30
/opt/CPR75CMP-R80.30/lib                    R75, R75.10

Here are the most important config files, in which we can customize Check Point INSPECT code individually:

|-> user.def          -> User-defined implied rules that can be added in Check Point INSPECT language (sk98239)
|-> fwui_head.def
|-> table.def         -> Definitions of various kernel tables for Check Point security gateway (sk98339)
|-> auth.def
|-> base.def
|-> crypt.def         -> VPN encryption macros (sk98241)
|-> services.def
|-> proxy.def
|-> crypt.def

4) After code generation and compilation, the FWM process invokes the Check Point Policy Transfer Agent (CPTA) command that sends the policy to all applicable security gateways.

5) The CPD process on the security gateway on port 18191 receives the policy files and saves them in the following directory on the security gateway: "$FWDIR/state/__tmp/FW1". The file integrity of the policy is checked now. Once complete, cpd invokes "fw fetchlocal" to load the new policy with the following command from the temporary policy directory:

fw fetchlocal -d $FWDIR/state/__tmp/FW1

6) The FWD process on the security gateway updates all of the user-mode processes responsible for enforcement aspects. These include the VPND process for VPN, FWSSD processes for security server issues and so on. All security server daemons running on the gateway are notified of the new policy by FWD and adjust their behavior accordingly, which could include restarting, stopping or starting if a new feature was enabled.

7) The new policy is loaded into the INSPECT kernel instances while traffic is still being queued. This process happens very quickly. Chain sequences are rebuilt, and may end up adding or removing chain modules from the sequences if blades were enabled or disabled since the last policy push. The new policy is prepared, the Check Point kernel holds the current traffic and starts queuing all incoming traffic. The atomic load takes place. This process should take a fraction of a second. At this point, if "Connection Persistence" is set to "Rematch connections" on the gateway object, a CPU-intensive rematch of all open connections against the new policy is performed to ensure that all current connections are still allowed by the new policy.

Note SecureXL: If enabled, SecureXL is restarted as well and recalculates its various state tables based on the new policy. During policy load, SecureXL is disabled and re-enabled afterwards. Here I am not quite sure if this is the case with R80.20 as well.

8) The traffic queue on the firewall kernel is released and all of the packets are handled by the new security policy.

9) The CPD waits for fw fetchlocal to complete the process and then informs the management server of the command's status: installation succeeded or failed.

10) The FWM process receives the policy installation status from the CPD process on the security gateway and then presents it in SmartConsole.

Note: Here I am not 100% sure whether the FWM or the CPM distributes the policy installation information to the SmartConsole. According to sk115557, this should be the FWM.

Firewall Processes

CPM Process

The CPM process is responsible for writing all information to the PostgreSQL and SOLR databases. All the communications between the different GUI clients are done through web services, which is a component within CPM. Whenever we connect to the SmartCenter server with SmartConsole we are basically opening a connection from the GUI machine to the CPM process (java -> solr-solrj-v4_X_X.jar) on the SmartCenter server over port 19009 via web service.

- web_services is a component within the CPM process that serves GUI and remote clients (like remote API) and is responsible for transferring the request to the dleserver.
- DLE server (dleserver) is a component within the CPM server that contains all the logic of the server for writing the info to the database and SOLR.
- object_store is a component within the CPM server, responsible for writing the information to the SOLR search engine and to the PostgreSQL database.

PostgreSQL DB

The CPM process is also responsible for performing all database tasks, such as:

- creating objects
- removing objects
- modifying objects

Whenever we create an object via SmartConsole we are basically sending a command to the CPM process on the SmartCenter server requesting it to create the object or change it.

SOLR

SOLR is the Full Text Search engine that contains a full clone of all data from the PostgreSQL database.

FWM Process

The FWM process is used for installing security policy to the backward-compatible R7x.x security gateways after the CPM process converts the objects from Java to the old policy file format. It runs only on management products such as security management server, log server, SmartEvent, etc.

- Serving the embedded GUI clients and authentication requests
- Collecting statuses
- Policy compilation for backward-compatible R77.X security gateways
- VSX database operation
- SIC operations via SmartConsole
- Database install
- License attach and detach from SmartUpdate
- Some of the management HA functionality
- Performs legacy operations

CPD Process

The CPD process runs on all Check Point products (security management server products as well as security gateways). There are 3 major responsibilities:

- SIC: we contact the CPD process during SIC negotiation to validate and/or push the certificate. If the CPD process on a certain security gateway is down, policy installation on that security gateway will fail due to a SIC issue. After SIC is established, the rest of the communication to the security gateway will be via port 18191.
- Status collection: the FWM process requests the CPD process for the statuses from security gateways and the security management server and then presents them in SmartView Monitor. If the CPD process is down, we will not be able to receive the gateway and security management statuses in SmartView Monitor.
- Installing security policy on the security gateway.

FWD Process

The FWD process is responsible for sending and receiving the logs from the different Check Point entities to the security management\log server (sometimes they are on the same machine).

On the Security Management server side: the FWD process listens on port 257, waiting for logs to be sent from the various security gateways that are connected to it.

On the security gateway side: the FWD process opens a connection to the FWD on the log\security management server on port 257.

SKs

sk33208 - How to debug FWM daemon on Multi-Domain Management / Provider-1
sk86320 - How to debug the CPD daemon
sk86321 - How to debug FWD daemon
sk112334 - How to debug SmartConsole / SmartDashboard
sk115557 - R80.x Security Management server main processes debugging
sk103918 - Policy installation fails with the error "Operation failed, install/uninstall has been improperly terminated"
Scott_Paisley inside Policy Management, Tuesday

R80.20 URL filter blocks HTTP, but allows HTTPS even though log shows reject

We are just turning on URL filtering in the estate. Categorize HTTPS sites is enabled. We have a rule that is set to DROP, with a Block message for certain sites or categories.

If we visit http://badsite.com, the log shows a BLOCK and we get the block page on the client machine.

If we visit the same site with https://badsite.com, the log shows REJECT, but the website opens on the client. The CN on the certificate matches the name of the site.

I have a support ticket open, but has anyone else seen this or solved it?
Mahesh_Patil inside Policy Management, Monday

Error while pushing policy: policy installation failed due to internal error in R80.20M2

We have 6200+ policy rules in one of the policy packages. While pushing policy we get the error message "Policy installation failed due to internal error, if problem persists contact Check Point support." When I reduce the number of rules to less than 6K I am able to validate the policy.

Is there any rule line or rule compilation limit in R80.20M2?
Soren_Kristense inside Policy Management, Monday

Identity Awareness using Endpoint server

Hi

In the setup I am using I have 1 SmartCenter for management of the firewalls. I also have another SmartCenter for management of all the Endpoints. Is there a way to make the firewalls use the Endpoint setup as an identity source? The Endpoint server has all the information that I need.

Greetings
Søren Kristensen
Abdelmalek inside Policy Management, Monday

Sync communication failed

I have a problem when I do a reboot of the security gateway. The gateway loses sync communication with the SMS, and the output of the fw stat command is "default filter", meaning that the policy didn't load from the Security Management Server. Could you help me please?
fahmiazlan7 inside Policy Management, Friday

Office 365 Management Activity API

Hi, I'm new in this community. I would like to ask something related to the Office 365 Management Activity API. I have set up a SIEM log collector from LogRhythm and configured it to collect logs from one of the services on the Azure platform, which is the Office 365 Mgmt API. The issue is that it is unable to collect logs from Office 365. I have allowed the IPs provided by Microsoft as below, belonging to the domain manage.office.com. I have created a policy to allow these IPs, but it still fails to collect. I checked that my configuration is correct, and I tested in another network environment without Check Point, where it works. Any idea on this? What do I need to configure?

manage.office.com, protection.office.com, manage.office.com, protection.office.com

13.80.125.22/32, 13.91.91.243/32, 13.107.6.156/31, 13.107.7.190/31, 13.107.9.156/31, 40.81.156.154/32, 40.90.218.198/32, 52.108.0.0/14, 52.174.56.180/32, 52.183.75.62/32, 52.184.165.82/32, 104.42.230.91/32, 157.55.145.0/25, 157.55.155.0/25, 157.55.227.192/26, 2603:1006:1400::/40, 2603:1016:2400::/40, 2603:1026:2400::/40, 2603:1036:2400::/40, 2603:1046:1400::/40, 2603:1056:1400::/40, 2a01:111:200a:a::/64, 2a01:111:2035:8::/64, 2a01:111:f406:1::/64, 2a01:111:f406:c00::/64, 2a01:111:f406:1004::/64, 2a01:111:f406:1805::/64, 2a01:111:f406:3404::/64, 2a01:111:f406:8000::/64, 2a01:111:f406:8801::/64, 2a01:111:f406:a003::/64
Ivo_Hrbacek inside Policy Management, a week ago

URL filtering for suffix

Hey folks, just wondering how to achieve a task like this. I have some GitHub repos which should be allowed via Check Point acting as a proxy with HTTPS inspection enabled; the rest of GitHub should be blocked.

allow url: https://github.com/0xInfection/TIDoS-Framework
deny url:  https://github.com

From my perspective there is always a CONNECT before communication is established to GitHub; when tested I can see traffic never passes via the allow URL, since the block URL affects the SSL handshakes and so on.

Any idea how to achieve the mentioned task?

Thx
PhoneBoy (Admin) inside Policy Management, a week ago

Set Installation Target for Policies

I created a brief video explaining how to set the installation target for a given policy in Check Point R80.10 Management: Set Installation Target for Policy Layer | fleeq.io
Martin_Valenta inside Policy Management, a week ago

policy name change on install - does it drop all connections?

Hello, when doing a policy install on a gateway with a changed policy name, you get a prompt to confirm whether you want to install a different policy name on it. Does it drop all active connections when this is done?
Howard_Gyton inside Policy Management, a week ago

R80.30 - Services port conflict recurring

When we push policy, it succeeds but we get a warning stating that there are multiple services which both have 'Match for any' selected.

When I first did this there were 10 pairs, so I worked through those. At the next policy push it found another two. And the next. And the one after that.

I don't know why, but it is drip-feeding me information and doesn't list them all. At every change I make another new pair appears for some reason.

Is this expected? If so, it's not very user friendly, as I would prefer to fix them all in one go.

Howard
Daniel_Westlund inside Policy Management, a week ago

adding Application Control Web Browsing Services

Customer wants to add a wildcard URL to an allow rule in Application Control, but wants it to be for port 81.  The only way I can see to do this is to go into the App Control Advanced Settings and add port 81 to be allowed for all sites, which he is not comfortable with.  I told him that the site would still be blocked because it's not allowed via his security rules, but am wondering if there's a better answer than that. 
OmidDjahanpour inside Policy Management, a week ago

SmartConsole R80.20 Undo Changes Without Discarding

Hello,

This is my first post on this forum, and I have a rather simple question. I'm still learning my way around R80.20, and I was hoping someone could help me figure out this simple request.

Is there an easy way to undo change(s) that were made to, let's say, the rulebase without having to discard the entire session and start again? For example, you accidentally delete the wrong rule in the rulebase, and rather than discarding the entire session, you perform an "undo" function similar to CTRL + Z.

I already have the session pane enabled from the Check Point Labs, but aside from it telling me what changes I've made, it doesn't allow me to undo a certain change. I've had a few cases where I've made several changes and had to discard the session due to some changes which I later discovered might cause issues. I understand that I could reverse the action by recreating what was done and tracked by the session pane, but I guess this is more of a convenience that I'm looking for.

Thanks for reading. Your assistance is appreciated.
Lijo_mathai inside Policy Management, a week ago

Unable to clone policy package in R80.20

Hi, after upgrading to R80.20 and applying take 47, I am unable to clone the existing policy package. Is there anything I am missing? I checked that there is no validation error for the name I used to clone, but I am still unable to clone the policy. Attached is the error I faced.